BG - Building an Empire with PowerShell Will Schroeder & Justin Warner

meaning to be in the breaking ground track then perhaps you should go find another track uh like you to welcome today will schroer and Justin Warner from varis group to talk to us about some Powershell food and good stuff gentlemen yeah this is building an empire with Powershell this is our super awesome little totally not ripped off from Star Wars logo that we have with the poell thing inserted into it so but first things first before anything else this project is heavily built upon the awesome work of a lot of other people a big thing with Empire is that we want to weaponize and bring a lot of the offensive Powershell work to the rest of

kind of The Wider pentest community and bring it to everybody in a way that can be really easily used in operations so because of that a lot of the modules and underlining stuff in the background is built on work from especially manifestation and obscure sect the powerit project Carlos Perez dark operator Lee Christensen tikin actually built some really cool uh net in uh unmanaged code spaces type stuff that we use for injection you know Ben 10 mg in WJ Computing and our Enigma ox3 our uh ATD Padawan the rest of the awesome offensive Powers Shell community we love you guys so my uh my name is W Shader my handle is harm jooy I'm a security

researcher and red teamer for the Adaptive threat division of vars group out in Northern Virginia I'm a co-founder of the veil framework so Veil as if any of you guys have used that on engagements I wrote a big chunk of that I'm a co-founder and developer on power tools which is a set of offensive Powershell um kind of scripts and projects I work on that with Justin and IAL I've talked to a few con shuk con Carolina con Defcon last year Derby con but bsid Las Vegas is definitely one of my favorite conferences out there so I'm Justin Warner so I joined varish group about a year ago I'm the red team capability lead so I do a lot of our

Advanced engagements against commercial customers I'm also working with Will on Veil power tools I spent a lot of time developing that did a little bit of work on the veil framework I have a lot of varied interest so I bounce between reverse engineering and defensive stuff but I also like studying and using it on the offensive world you can cat a lot of the same stuff that will said uh we do a lot of the same work if you're interested in talking about what we do or looking for a job please definitely hit us up so we're going to be going over lots of different things today we're going to kind of start generalized and go through

uh offensive malware or uh rats and how use them some generic characteristics about them and then we're going to dive straight into how we actually use these thoughts to build our own rat uh and and put it out for public use we're going to roll through some modules that we built I think we're up to 90 now uh and demo the tool as well as talk about how to take it down we try not to do too much offensive stuff without providing some defensive guidance or tell people how they could stop it you know should they see it in a real environment so we always kind of start our talks with a uh with a you know prep

pendum with a red team philosophy and so for us red teaming means a lot of different things different groups do it different ways some people focus on physical operations some people focus on integrating different things we primarily focus on training Defenders and so whenever we do red team operations uh for us we we want to provide a service and we want to provide skills to defenders in their own environment so it's a pretty key thing let Defenders learn in their own environment with their own tools so that should a real thing happen uh they get to use it this plays into Empire specifically because one of the main motivations for us writing it is we

wanted to train Defenders uh in stopping Powershell attacks in their own environment we do assume breach so you know we don't necessarily always focus on that initial exploitation Vector we focus heavily on post exploitation and the actions of an offensive person once they're in the environment and so you'll notice a lot of the modules we do or a lot of the work that's been done in this tool is mainly suited around making this usable as a post exploitation agent so why write malware well you know previously we had been using commercial tool sets entirely uh we never wrote any of our own stuff we really didn't have much of a development framework will did a lot of work on the Powershell side

doing Power view and some other tools which kind of segwayed well for us uh and made it easy for us to transition to actually writing our own agent uh ideally the first reason we started doing this was because we showed up on an engagement and within the first day we popped like 237 alerts and like well this isn't really training for Defenders because they called us in the first hours of the engagement and so overnight we had to stop and figure out how we were going to do some sort of custom work on this engagement and for us we had kind of had this drafted um but it even more motivated us to continue the

work uh some other reasons who doesn't want to have a dream rat with all the capabilities their team actually uses as opposed to having to adapt to other tool sets that was a big player for us and then when we started seeing things like pow lick come out or other Powershell variants or power being used in you know the evil AP attacks with macros and all sorts of other things we wanted to see if we could really Center on training the good guys how to stop this and for us that was actually building our own um malware with it and and deploying in environments where we're operating so lots of people uh will bash an offenders or offensive staff they say

you know why aren't you using all your skills to do good things instead of bad uh we try to really focus on the Union between the two we believe that offensive and defensive are together especially in the red team spaces and so without a little bit of practice you never know how you're going to actually square off uh nothing we're releasing here is is is super mind-blowing uh it's not going to evade any of these crazy network products it's not you know the Next Generation rootkit it's not a stuck net level thing we're releasing something that's realistically meant to be used by Red teams uh it actually is actually it's overly easy to stop once

you actually start performing some analysis on it and we built it that way we built it to encourage defensive people to actually go in and do the analysis and reap the rewards should they actually do that so offensive Powershell this one of my favorite quotes from um obscure SEC from the power exploit project he likes to call a Powershell Microsoft post exploitation language it's supposed to be meant as kind of a a system Automation and a management type framework but once we really started to get into it about a year and a half ago it's been awesome for operations and it's really changed the way that we focused and operated on engagements so why use Powershell if you

guys aren't on if you are a pin tester and you're not using Powershell in current engagements I would highly recommend checking it out considering integrating into your workflow so Powershell provides out of the box full access to the Net Framework in the back end you can actually think of powershell.exe essentially as a wrapper for the net automation component in the back end so you can do things you can create um you know web clients download stuff access anything you could in the full. net stuff you can kind of implicitly get by some application whitelisting unless people explicitly started loing down in targeting Powershell which we can you kind of talk about after if you're interested in that

type of thing you can get full direct access to the windows 32 API and you can assemble malicious binary fol and memory and going through a lot of these components you we realize you can write fully functioning malware in power shell without using anything else which is essentially what we've done with Empire there's a great post called why chose po shells an intact platform by m rabber one of the power exploit authors I encourage everybody to check it out and also a lot of bad guys are using power shell so a lot of nation states even though they typically have had uh like C and C++ agents historically a lot of the uh AP groups and even some of the

more mid-level actors have started integrating Powershell into their attack flow you know power liix was a really interesting pure Powershell variant that came out uh over the last year deep Panda was known to use Powershell and breaching think tanks the apt29 actor which Mt rber talked about this morning through wmi they also integrated pow shell and lot of their attack sets so if you read a lot of these threat type reports that examine specific actors a lot of the more advanced ones over the last two years if you read through the tradecraft Section you'll actually see that they have started to use Powershell more and more and more typically it's been for kind of like a loading

component to actually load up the rest of their agent but some of them have started to use uh the pure offensive capabilities of Powershell more and more so existing stuff that's already out there in Powershell the powerit project offers everything from screenshots key logging there's the equivalent of incognito called invoke token manipulation and of course everyone's favorite Mimi cats which we'll go over later in the project uh later in the presentation there's a pure po Shel implementation called invoke mimic cats so any function that you can use in mimic cats not just uh grabing passwords but you know keros and everything else you can do purely Power Shovel staying off the disc Power view is a tool that uh I wrote which is a

networking domain situation awareness tool which heavily factors into a lot of the modules in Empire power up is another tool I wrote which is a privilege escalation kind of automation script which will'll check for common priv vectors power breach is a tool that Justin and written that kind of have some additional um like in memory type of persistence mechanisms that are really interesting and POS seod by Carlos Perez has a lot of like active directory and post exploitation stuff so while there's a whole lot of really awesome Tech out there for offensive Powershell one of the things we started to notice is the weaponization problem so if you're on a pen test how do you actually execute

these Powershell scripts and get the results back in a secure manner how do you trigger it that's the biggest problem that I've seen for uh that's caused the lack of adoption of offensive poers Shell by the general pentest community so using the existing power shell stuff at this point also hasn't been super straightforward you know this execution policy stuff whether you have to RDP in whether you're doing a oneliner with a download cradle and people aren't familiar with it the fact you have the pipeline the fact you have to format your output the fact that you have all these weird little kind of um subtleties with Powershell that once you learn them it's not too much of a

problem you kind of know how to operate with it but at the time that kind of little learning curve is it can be an issue so this is the problem we're trying to solve we want to solve the weaponization problem so we can bring all this offensive Powershell Tech to everybody to use even if you don't know how to use Powershell so looking at all this Powershell stuff you know I thought about nine months ago or so you're like well weird key loggers and mimic cats and screenshots like these are all the functions and capabilities of a rat this is everything you're going to have interpreter this is everything you're going to have in you know whatever

whatever your kind of agent of choice is why hasn't there been a pure Powershell route at this point everyone tends to use these scripts as kind of augmented capabilities but there hasn't been a pure Powershell um remote access tool variant that actually integrates all of it together so when we first started kind of going down the development path the the ideas spurred uh will came to me and said I think it would be really really cool to do this and I was like well let's figure out exactly what we want and so I I did a lot of work doing reverse engineering of malare previous job and so I'd seen a lot of different stuff I'd seen all different variants of

of malware crime wear loaders uh root kits injection capabilities I'd seen it all implemented in a ton of different ways and really we really wanted to boil down to a couple unique requirements or unique things from that um that we felt it was important to have in a rat so you know what what was actually operationally important to what we were doing so we like to distinguish between a rat and a back door for us a rat is focused on the actual interaction and control of a um enduser system so the endpoint that you're actually controlling uh the center point for us was not necessarily persistence or how you were going to get rebooted or how

the in-depth work was going to uh you know doing injection um they all played into it but we wanted to focus on control of the system and and collection of user data uh when you start thinking about that there's all different things that come into play here's a list of a bunch of them uh we could go on forever all the different factors or characteristics that play into a rat um you can look at all these same things when you look at meterpreter or um commercial Frameworks whether it's in uendo or Cobalt strike uh the they all Implement these Central themes so starting with the staging problem staging is the idea that um traditionally malware will deliver a

very small stub uh to the Target initially this is for lots of reasons number one that stub is usually going to be very vulnerable it could be captured or it could be caught by an antivirus or some sort of host Bas IDs um and you don't want your full agent to be the thing that gets caught you want to start with some sort of loading capability the staging problem is what we call the the issue where how do you deliver uh your full agent to either memory or disc and a secure capability um you know interpreter before it was had all the recent additions had a lot of problems with staging a lot of most most common

antiviruses had started to Signature it signature the user agents and the resources that were involved and so it was very tough to use and you don't want that to happen you want variance and you want the ability to change that that plays into the staging problem it can be very noisy uh in a network if you have a 2 megabyte agent that's that Stager is going to have to download 2 megabytes um and That Could That Could flag in some cases it depends on how secure the networks were we mostly work in Fairly mature commercial networks so uh places that have a very mature sock incident response capability some of them have fullon hunt teams where they're actively

paring the network looking for bad guys proactively meaning that we had to be conscious of all of this when we were implementing these different characteristics next slide The Next Step so you deliver a stage you deliver your agent command and control how do you actually want to communicate out of the network we do a mix of uh blackbox external assessments as well as internal assessments so for us it was a definite requirement to have whatever we did had to be able to communicate outside of networks with strong boundary protection uh so these include things like proxy and firewalls and IDs we wanted uh our capability we wanted any capability we were even thinking about developing to be able to

work through this there are tons of different comms methods out there most of them have open source variants that do this so HT HTTP https are the most common if you look at uh any modern rat they communicate with those mechanisms because well all users browse the web unless you're in a closed off Network um and then SMB usually is a really great feature because it allows you to Pivot peer-to-peer internally and so you don't have have to worry about having 100 egress channels um it's also very tough to implement in a in a good correct secure way um and so this was a this was a lofty requirement to kind of lump in at the beginning that's part of our

future kind of road map down the road sure uh and then survivability is really the key feature uh throughout all of these characteristics is um Can it live in the environment is it stable and is it going to uh persist without you know throwing those 237 alerts like we had in that first environment uh for us another big motivator was on that same engagement where we had to rapidly Dev our own malware um we also reverse engineered a custom solution that was present in the environment and so there was a piece of software that was present on the standard image of every workstation in this customer environment so when we reverse engineered it we found a

vulnerability in this software that allowed us to gain access uh as an administrator local administrator on anything that was running the standard image so it was great we found a vulnerability we wanted to weaponize that that into our attack platform and since we didn't really have an attack platform anymore cuz it got destroyed on our first day we decided that a key feature of our uh framework or agent was going to be the extensibility the ability to rapidly develop modules and put them in without having to stand down um your Communications or stand down your Tool uh we wanted it to be easy so we wanted it to be anybody who um could take a Powershell project that already

existed or write their own Powershell project could implement it in the rat since this is a pure power shell post exploitation agent cool so Empire is the result of all that Dev I know Justin said you we kind of motivated on some internal engagements where stuff got burned this has been about nine months of pretty solid Dev kind of in the background so this isn't a one-off script we put a a reasonable amount of effort into this it's about 50 to 70,000 lines something like that and a whole lot of internal convents so Empire is a fully featured Powershell post exploitation a agent probably an easy way to explain to people in one sentence would be it's

kind of like a you know an inner a an asynchronous interactive agent like interpreter but based purely in the Powershell language so the agent is running purely script based all in memory on a Windows host it aims to provide a rapidly extensible platform so we can integrate all this awesome offense and defensive power shell work again this is our hopeful solution to the weaponization problem just like Justin mentioned it's also our attempt to train Defenders on how to stop and respond to Powershell based attacks we also like to have uh agent variability so if we're on an engagement against a mature team we like to be able to use uh commercial tools you know go back to

interpreter or use something like this and Vary our types of lateral spread uh communication and agent coms whenever we're in a network so in case one thing happens to get blocked our entire engagement doesn't uh get torn down so a lot of people have written off Powershell so some people have referred to it just as a toy language there's a lot of people that basically say if you're not writing your agent and C your C++ then it's not real malware and a lot of people have said you know with a with app locker with Windows 10 and all these types of things it's going to be easy to block and defeat Powershell and that's not really

a big deal anymore this has caused a lot of instant responders to overlook it as a malare vector also all the miscommunication with Microsoft about execution policy and system in thinking it's actually protection mechanism has also contributed to this so we wanted to provide a an agent that you can use almost as a proof of concept to people of saying look Powershell is a big deal um it's not just a one-off toy language you can write real malware with it that can inject into different processes which we'll go over and you can do anything you could in something like interpreter pretty much purely in Powershell so the server size so kind of the control server we have this would be

the equivalent of like our listening post we have a client server architecture the server is written entirely in Python multi-threaded uh handlers in the back end and the little client staging code is written entirely in Powershell it's modular and it's kind of multi-art so we have key negotiation like crypto a packetize structure and everything in the back end which we'll go over there's a backend database that preserves agent listener configuration so if everything crashes for some reason you bring it back up your listeners will start back up and because the agents are asynchronous all your agents will come back in so even if they can't reach the server um they're not going to close off

or error out and everything is logged very very extensively this is a really big deal for us on red teams for deconfliction and also um you know like artifact Recreation for blue teams at the end of the engagement so there's a log per agent that has timestamp taskings and results for everything the agent does anytime you upload a file it's going to md5 the file and give you the original location as well as where it's uploaded to and anytime you download stuff it's going to give you the full original path uh basically we wanted to go you know as as in-depth as we could on logging to provide as much data as you can there's even more if you

want to do D- debug that'll dump you know the individual taskings and Communications and all that kind of stuff on the back end but even just by default there's an agent. log for every single agent that checks in that has you know kind of our logging on crack pretty much so the first step that Justin kind of talked about previously execution somehow you need to get your agent executing in memory or on disk on your remote host traditionally this has been a lot of exploits you know using browser exploits you know uh client side flash based stuff we don't really use exploits an incredible amount we use a lot of user-driven attacks we use our s Java

applets we use our macros we use our o embedding and we use user-driven stuff that's not exploit Focus because we find it a bit more reliable but regardless you need to have a way to for Empire to execute a small Powershell command that can load up the core component of the agent so we have different kind of Stager formats is kind of a a an extend extendable modular type of setup so we have VBS stuff we have macros we have self-d deleting bat files we have single commands we have ducky scripts and we also have a reflected dll which is pretty cool so this actually forms the core of some of the process injection later on the presentation but we have a

fully um injectable reflective dll that will stage up a Empire agent that's linked to the server you can take that reflective dll and you can use it in other exploit Frameworks like metlo so you can use the windows DL inject you know verse HTTP or something like that load this as your custom agent and your custom payload and when you deliver some kind of exploit you can have your exploit server or interpreter and have it actually stage up Empire agents to a different uh control server so the listeners this is the server side the whole system you have configurations uh for the staged agents at this point you can change these per listener there's also a bunch of default

values you can all change this stuff in the backend database when it's originally set up we'll go over a couple of these the the things later in the demo I know this is pretty hard to read but you have things like kill dates so you can set the agents to automatically exit after a certain date at the end of your engagement you can do working hours if you only want the agent to communicate you know 9 to5 or you don't want to it to communicate 9 to5 you can have it essentially like sleep and shut down during specified time Windows there's default uh callback intervals and Jitters and stuff there's also different uh communication profiles so

you can change even per agent what the tasking uis are you get a multiple different tasking uis you can change the user agents you can add additional uh indicators into the the the headers of the different HTP Communications so we want to make this as flexible as possible and currently there's HTTP and htps coms I know just to mention we're hopefully going to do DNS andb in the future other additional listener stuff little little tidbits you can dynamically set white list and black list for IPs so if you're on an engagement you notice there's like really pesky Network Defenders from or certain net block that has started poking your server scanning you you can basically you know block up their IP

range and it'll just return a default page or if you're on an external engagement and you want to be uh very controlled in how you're doing fishing you can have just IP from your target organization be accepted to your control server you know we're very risk adverse we don't want stuff to go wrong so we like being very controlled and how we do stuff again the kill days and working hours you can also do foreign listeners to pass sessions between multiple control servers so you can have multiple Empire servers set of form list are naturally have you know different people that are geographically disparate pass sessions to different control servers you can also pass um inject Shell Code

to pass agents to something like an interpreter listener that's on to different host so the Empire staging this is the when you initially trigger a little small little oneline snippet that's kind of a souped up version of the Powershell uh download cradle what it'll do is it'll request a specific URI that you can customize um it's a a static value is going to return back a opy skated little chunk of script this part is just Bas uh it's just exord um we're assuming people are going to be able to decrypt we're assuming this initial AES negotiation key is going to be burned or recoverable by Defenders what will happen is the uh the server will return that this key

negotiation code this exord the client will decode it run it in memory that key negotiation stub will generate a public private key pair that then that stub will take the ades negotiation key encrypt the public key post it back to the server the server then takes that publicly public key and then exchanges some stuff with like Epoch uh time for synchronization and also a randomized as session key after this the communications will start and the point with this is that something called encrypted key exchange it provides something called perfect forward secrecy so even if Defenders are doing a full peap of all this they can't recover the randomized AES session key per agent and then also each AES key is different per

agent so if someone does do a memory analysis they won't be able to decrypt everything in your entire mesh so this is it still me um the C2 in the back end it uses a lot of this these net methods in the back end to actually do the HTP or htps communication it's the net. web client if you guys seen the little IEX new object net. web client thing that's the same type of primitive that's using in the back end again there's nothing too magical here it uses a get and post type structure so the client's going to periodically do get request um if there's nothing that's tasked then the server is going to return a default page that's again this

is customizable if you want to do some other kind of default page if there is tasking uh the server is going to return an encrypted blob that's encrypted with the as session key spec specific for that agent if there's results from the agent it'll post uh encrypted stuff back we do um Cipher block chaining randomized initialization vectors and it's the fully packetized structure underneath we're not saying we did the crypto completely right but we thought a lot about it and we tried our hardest to do it reasonably correctly um crypto is hard crypto is very very hard everyone says don't roll your own crypto and then we tried to roll our own crypto so if

you guys find a problem with this please please please let us know don't just pop our servers or something so once you actually have your interactive um execution with agents it's essentially kind of like a an interactive remote Powershell prompt so you can run any Powershell code that you normally would any of the commandlets like you know get that g- process or something like that or you can run any typical shell commands you can CD dur PS LS all that type of stuff you're used to with normal shell commands for an agent you can also upload and download and all those uh the types of things you would expect from a normal rat we also have

the ability to import specific Powershell scripts what this will do is is it it will take a Opus skated Powershell script and stuff it into an encrypted Block in memory for the agent then you can execute a particular command the script will be decoded um it'll execute a command and get the results this is for things like power viw that we use a lot that have a whole lot of command lists that you want to chain together and just access specific functions you can also build modules for specific Powershell execution things like mimic cats things like tokens we'll go over the the module section here in a second and there's a whole lot of this

in the demo this is the whole you know wanting to try to have a interpreter style module type um functionality you can build this stuff out even customize some things and make it super easy to use without knowing how to like pipe stuff in Powershell so we're going to go through as many uh modules as we can obviously with limited on time we did develop uh I think we're up to 90 modules um we have a bunch still private that we're testing and working on internally so we'll be continuing to support put out modules as we go uh so worth noting that what you see there um you know please feel free to contribute if you are interested in

this kind of thing uh we love public support and public uh research on the project poers shells traditionally something to get hard to get into and so we're trying to spread the awareness and get people in love with it so like I said about 90 modules several more in testing uh we focused more of our first round of modules on things that we actually needed to use in the engagement like I said this this was kind of spurred on by the fact that we had to develop something custom in a very very short time period And so most of the first modules we had were um pulling together all the current projects solving that weaponization

problem and and integrating them into the agent so that we could use them fluidly in an operational environment um again we baited this in several real environments now with customers that we've had tougher times with and so uh it's definitely not perfect I'm sure there are issues but it's been run through some pretty complicated networks uh and it seemed to work very very well in the real world we're going to show some of the top used ones here so there are tons of categories we we break it into category so that it's organized I'm a little bit OCD and so I don't like the fact that modules could just be scattered about when I first year join

the project Will's just like oh there's modules everywhere it's just raining modules uh and there's no names on them they're like module one 2 3 4 5 6 7 8 and so know we took the time to organize it put folders around it uh and try to make it easy to use and jump into um we're going to talk about some of these it's worth noting that uh we kind of break it into the phases of an engagement too and we always like to have a little if anybody does like CCDC we have a troll sploit category for you you can have some fun with it don't use that in a real environment we do we may

or may not have a module that plays thunderstar while maxing out the volume on your computer so yeah without actually popping a window so you know you you you can you can have some fun with that so module development we wanted to make this very easy so what we did is each module is essentially a python metadata container so it's a python script but there's not much set there there's a template that you just take and you set some variabl specific for your module so things like does it require admin what Powershell version does it require um is it obsc safe for example does it drop something's dis once you set those all you have to do is

include your Powershell script that's it that's a module and so any existing Powershell functionality can be turned into a module and have restrictions set around it to work inside the framework our first module that we kind of ran into was well every Defender who knows we're bringing a Powershell toolkit is going to go looking for Powershell and so in Carolina con uh about I don't know five or six months ago uh we released a project called Power pick uh we didn't say it at the time power pick was actually built to support Empire and so power pick was essentially a project which allows you to run Powershell without Powershell there are a couple major components of

it uh there was sharp pick which allow is a c binary which allows you to execute Powershell with C Powershell never spawns in the back end it uses all the net apis uh I took that and we had a big Twitter discussion about whether this was possible to do inside like a C++ binary a guy named Lee Christensen from Silent Brak security did this awesome project where he put out unmanaged Powershell it was a lightweight project written in C C++ that actually implemented the net CLR completely in C++ so with his little executable you could run Powershell and again never start a Powershell prompt I took that and turned it into a reflective dll which made it injectable

using a lot of common tools and then wrote a script called invoke PS injector it's built on power sploits reflective PE injection again I very didn't do anything super original here took a lot of other people's projects I like to make sure they get the credit um and and and stuffed it all together what what this essentially allows us to do is run a Powershell script to inject a reflective dll into a remote process which will then run Powershell in that remote process so when we released it at Carolina con there's like zero interest and we're like because who cares right like power shell and remote processes well when you stuff it into a project

like this it means a lot more and so here's a cute little diagram and how to conquer the internet um basically you have invoke PS injector it's a Powershell script which injects inside of an executable that executable is now running a reflective dll which is reflective pick which drops a net assimil memory which allows you to get an interface into the net backend which then allows you to run Powershell something like a download cradle or our initial staging code which will then call out to the internet and pick up more Powershell to execute only in memory and so nothing touches dis here you gain Powershell execution and remote processes and then we have to have the

token Meme and this is our favorite to always do so yes it can get rather complicated you're running like Powershell and Powershell and Powershell and net inside of C inside of processes that don't belong there um we recognize that it's it's kind of crazy we hopefully abstracted it out um and there's there's plenty more work that can be done to make this more efficient or turn this into Shell Code or or do other things here so one of the first times we actually got this built into the agent will was like well I want to see what this can do and so he goes and he injects this thing into like 25 processor all at the same time and we're

like well this isn't going to be good definitely this thing's going to crash surprisingly as you can see here we actually have our power trell agent running an Elsas and Explorer and services and I don't know pretty much every standard notepad process and nothing crashed uh the agent was pretty stable uh the reflective dll that we wrote that that launches all of this was pretty stable and what it allows you to do is if that Defender knows you you are using a Powershell toolkit and they go kill Powershell you still win U and it forces them to actually look and do perform a full analysis on a system so all joking aside this is going to force

people to start doing proper you know memory analysis uh instead of just killing or looking for encoded commands inside of Powershell prompts they're going to have to dump memory they're going to have to go to work the recover scripts so the next step we use this in an external engagement and we were like well oh crap users use UAC that's been a solved problem for a long time in things like meterpreter or a lot of other offensive projects but when you're using pure Powershell uh when we first worked on it there was no UAC version inside a Powershell uh and so what we had to do is we had to take a step back from the

agent and work on some of the core capabilities we built a bypass UAC version in Powershell again very little original here we essentially took the metas dlls which have been already developed and we took the technique which has been heavily blogged upon by the the person who wrote it uh and implemented inside a Powershell and so what it allows you to do is it allows you to in inject uh using using bypass UAC it allows you to inject the dll you need to inject to get into a high integrity context and spawn our initial Stager so using a lot of the same Technologies here reflective pick is essentially combined with bypass UAC to allow you to get into high integrity

context after a Spearfish all using our agent it's worth noting on the previous slide sorry we've tested up to 81 on this um we've had little situations where it's been flaky we haven't been able to figure out what the flakiness is caused by we i' say we're about 90 to 95% there in test environments with all the different service packs Windows 7 and Windows 81 it should be x86 64 compatible for seven and 81 so if you see certain use cases where you're using it again we invite we love G issues well we're going to learn to love get issues um and we would love you to give us feedback on it so MIM cats you know you can't have a a modern

Windows rat now without using mimic cats and if you don't know what it is and you're a pin tester obviously shame on you um it's everyone's favorite post exploitation capability it lets you do everything from you know pulling PL text credentials out of memory which is what a lot of people use it for but you can also do your keros golden tickets you can do your silver tickets you can actually do pass to Hash or over pass to hash with mimic cats which is what Empire integrates in the back end for its pass the hash capability you could do um skeleton keys on domain controllers like there's an enormous amount of functionality mimic cats that

a lot of people aren't fully aware of that we're hopefully going to try to build some modules for and make it super easy to use and also Empire has an internal credential model if it will automatically parse the results of mimat out mimic cat's output preserve it in a credential model on the back end and then you can reuse those credentials uh on additional modules so if you dump a domain controller ntds.dit which will show in the demo the the KB TGT hash will be saved in the backend and then you can just specify a credit ID to the golden ticket module and have it fill all the information in for you this is just you know what the

actually running the log on passwords module on mimat through Empire looks like you know you set it you can run ex you can hit execute and we have you know a lot of those um options that Justin mentioned specified in the module so we can set it to say it will only run in high high integrity context so it won't try to task an agent with mimic cats unless it knows that it can actually run it all these results will come back and then if you type creds you can actually pull up all the parse and save credentials in the back end so another step that's really common is lateral spread our favorite method for lateral spread is wmi you know pin

testers have been used to using psxe for a long time PS exec is much much noisier than wmi you're creating a service you might be dropping a little bat file loader to disc or something like that we've actually been caught by clients with PS exec they've written some custom signatures and given us every single machine we spread to with PS exec psh so wmi is our go-to luckily there's a really nice native functionality for wmi and Powershell so we've integrated this into into a lateral spread invoke wmi method you can specify a listener and a host it'll execute the little key negotiation stage on the remote host and load everything up into memory without touching this I think it's pretty easy

to use there can be a few um subtleties with wmi we you know if you're interested we can talk about but this is our kind of go-to lateral spread this is what it'll look like and we'll show this in the demo as well see the the module configuration up top you can set computer name for whatever your target is you set your listener name and it's all tab completable we had a big UI Focus you execute and you can get a new agent coming in on your remote system for pivoting system to system without piping something new in through an a different control Channel A lot of people are like well what about past the hash even though

there was a you know supposedly a Microsoft hash the hatch hash hatch last year this is still a really common Vector especially for um domain accounts so the you know the KB 28717 it doesn't fix anything with the uh with domain accounts for Relay nlm authentication I know with some of the new Windows 10 OS stuff they're trying to fix some of these components we'll see if they actually do um it took them several several years to even acknowledge the pass the hash was an issue so you know I'm not too too worried so we'll use the Mimi cats pass the hash module in the background to actually execute this functionality what this will do is it'll spawn a new

process hidden so it won't pop up to the user and it'll be running with the specified credential of whatever whatever you filled in you can then use the credentials token module to do like a steel token and steal the new authenticated token from the hidden created process and then go run around with whatever you want cool is what it'll look like you know if we're up there we'll show this in the no we won't show this in the demo but up here you have like dur of a a remote machine says access denied we have the credential model so you see everything saved up there um you can use the full use credentials mimicas pth or

we also have an accelerator for it which is pth and then a credential ID for that top one it'll inject everything in memory it'll start this P 932 for a hidden process we can steal that token this will inject the token stuff in the back end uh and now we're running with the context of that user only with the hash completely through a Powershell post exploitation agent and there's also a REV to self after you do your token manipulation you can wipe everything back to normal so we were going to attempt the demo gods but then we decided against it so we got a video recorded demo um sorry uh hope you guys still enjoy we we were

going to be a little tight on time here we're trying to cover a lot of material and so we'll talk through this and it'll show pretty solid use case of an average workflow obviously this can get really large there's 90 modules there's lots to play with uh but this will cover basically gaining access to an initial system pivoting off of that hitting another system so this is the main UI when you start it up you'll see the number of mod so we're going to zoom in a second so you can can see it but you have the number of modules loaded the number of Agents you have the number of listeners the first thing we need to do is set up

our listener so we uh we can set it for a particular name this is an alias that can be used for lateral spread or whatever else tab complete it we're not going to set our you know kill dat or working hours we execute it so it actually stands up a thread threaded HTTP server in the back end now we need to produce our uh like launching capability we were going to simulate a fish or something um just for the purpos of the demo we generate a self leading bat we all know users click everything so we actually like to take the bats a lot and do o embedding in uh like a Word document with a different template so

it'll like self- extract run and then delete itself off the disk so I triggered it on a remote system you see the initial agent coming back with a randomized session ID you can actually rename these agents to whatever you want so I'm going to rename it fish user that's will actually change the save folder and all the stuff in the back end so the first thing I'm going to do is I'm going to use power up to run all these credential checks to see if there's a method to privilege escalate on this agent you see uh info this is that kind of module modular uh setup that we talked about again you don't have to know really anything about

Powershell to use this right you get them you send them a fishing payload they run it you can run this uh all these all checks and prives and power up and you don't actually see any power Shell Code yet it's going to test stuff in the back end it's going to kick off a background job a full javied kind of method in the back end and we see that the current user is actually already a local admin but he's running in medium Integrity so you need to run a bypass UAC attack you can use the module or again we have an accelerator because we use it so much so bypass UAC and then you can tab complete your listener name

if you have multiple listeners It'll ask you if it's opsc safe because this is dropping files to disk so this is just you know take a step back make sure you kind of know what you're doing to the system and now we get an agent that comes back is high integrity you see here we actually have a little star for the high integrity agent meaning it we we can actually do our really interesting post exploitation actions we can steal any tokens we can run our mimicat stuff I'm going to rename this agent as well now I'm going to run a PS to see who else is on the system I'll take a second again this is

on like a five second reach back interval so again full asynchronous tasking we have the architecture and everything broken out we see there's this this other user this test lab dfm on there we're going to run the PS inject module that did everything that Justin talked about all of our options now we execute this this will send down a Powershell script to the current running agent that script will inject that reflected dll into the target process that reflected DL will load up all the net runtime which will then kick off our little Powershell uh key negotiation code and now we have a brand new agent running in CMD um running under this different user context

dfm's our boss so of course he's high you know High administrator access in the domain he's the boss again here again with all the UI Focus you see all that stuff that pops up everything is tab completable for all the modules so I can use situational awareness and tab we have broken into host and network so the next module we're going to run is find local admin access what this will do is take your current user token privileges and then query the domain for all machines in the domain and try to open up the service control Handler in every single one of them and quickly close it it's pretty noisy but for the purposes of the demo

it can tell you exactly where you have admin access on the rest of the network very very quickly so we see we have access to primary. test. looc now we're going to do our lateral movement we're going to set the computer name to primary we're going to set the listener and tag complete to our current listener execute it this will task everything in the back end to from your initial pivot run a wmi command to the remote machine which will trigger the staging code and get get a new agent running in a high integrity process coming back under primary I'm going to rename this guy to DC it's actually the domain controller in this test

environment now I'm going to extract all the user hashes on the network the ntds.dit I'm going to use credentials mimicat there's a lot of them broken up in different functionality log on passwords LSA dump gold ticket if you use the LSA dump it'll dump all either the the LSA in a particular host or the ntds.dit on a domain controller if you just want a specific user like kbgt you can specify that this is a pretty small domain so we're going to show just all this data coming back so all the hashes what we do with this output is we actually just save the krbtgt hash for any uh database stumps that come back so we don't have 5,000 people in the back

end now I'm going to go back to my first unprivileged user show that if I try to dur the domain controller I get an access denied because you're unprivileged at this point now I'm going to use the gold ticket module look at the info and you see this cred ID field up here so I can set credit ID to whatever that krbtgt credential ID is for the credential model on the back end that'll fill in the curb hash the domain Sid and all the information you need for a Golden Ticket essentially catalog I'm going to set my user to say I want to be administrator in this I'm going to execute it this will Tas me invoke mimic cats in the

back end build your golden ticket your golden TGT inject it all into memory get nothing's touching disc I think we should get the mimik cat's output here in a second yep so golden ticket for administrator created now if I go back and just do my shell command to say dur you know the domain

controller I have my persistent access again so I could redo my lateral spread if I wanted to I could data mine I could add a user do whatever I want thank you Benjamin [Applause] Deli so we knew we were going to be a little tight on time here so we might move a little quick the slides will be up they're already up on SlideShare for reference so as we keep going here so how do you detect it well just like every other has a lot of similar characteristics of course it's a little less proxy Weare because it's relying on system proxy credentials that it gathers from Windows and so if you have any sort of really tight restricting proxy that

uses like manual credentials to be punched in or things are not stored via the system cache this thing might bounce against the proxy a couple times really good way to pick up malicious things that are not making it out of your network really stand out something worth noting uh High entropy by strings so there's just random encrypted blobs in plain text HTTP we've seen Network heuristics that actually catch on this in very tight environments usually it has to be some sort of very large Cloud product to catch something like that um but it will flag on our comms in this case uh and then our favorite way to do is on endpoints um you're loading net

assemblies and all sorts of Windows processes that don't normally load net assemblies and so there's heris that could be written here to kind of start preventing and guarding yourself against net like this I don't know if Elsas is hosting the Powershell commands uh net assemblies it's probably pretty strange I would recommend you calling incident response if you do memory analysis on this guy right now we have zero opusc on the script in memory we did this on purpose um we want incident responders to do memory analysis and so we we leave this all plain text both the Stager code as well as the full agent you do a memory dump on this and do a strings and

and you set the right strings length you're going to recover the full agent and memory so what exactly will that give you it'll give you the AES keys and this giant nasty thing you'll notice that we do camel case and all sorts of weird casing here we do this to try to prevent any automated detection our goal is to prevent automated detection and to encourage Defenders with the AES key they could then decrypt Network traffic so uh when Windows 10 started talking about Powershell will about quit his job because he thought hacking was over forever because Powershell was going to be stopped I will say it's not like we're giving a talk on a Powershell

agent and then two months before Microsoft actually implements Powershell defenses for the first time and you know seven years we are we are really happy with what we've seen we've done a lot of testing with Windows 10 Microsoft did a great job starting to build in and really focusing on Powershell um it's their really first acknowledgement that Powershell could be used really by really bad guys and that users were having a hard time with it so they did a great job there's actually two main features they added a crazy amount of logging and then they added something called constrain mode built in app Locker which prevents you from using all the net resources we've done some

initial testing um we've been able to get around constrain mode slightly because we we think that it's built on the powershell.exe process and not on the net backend however um it it greatly complim complicates the attack chain our our one feedback would be that who knows when clients are actually going to start turning on app Locker or uh using Windows 10 because let's be honest we still see 2K3 in environments uh it's probably realistically going to take at least two years um and best case scenario before large Enterprises start implementing you know large Windows 10 rollouts as we start testing this and working with it we'll be sure to keep it up to date on the website with what we

know it's compatible with and any um work we do uh with Windows 10 but it's not the end of the world believe it or not so the future what do we want to do in the future well we put up a Powershell website for this um we want we want it to be very very easy so we actually fully documented everything we could to this point including all our backend and staging processes we have a full spec out on it so if anybody's interested in using it that they could figure it out and learn how to use it we're going to put all future updates and videos and different things we work on here for use

so you can go there you can also get it out of GitHub it's been posted about an hour ago um and so you guys can download it it was released for bsides LV it's my first bsid LV so we wanted to drop something nice um and then this will be a long running project so will and I uh really like this we've used it in environment we we think it's really successful for our team and so we'll be supporting it we we'd love to see get issues we'd also like to see pull requests and people to contribute we got we got stop yep oh he gave us the stuff cool um if you guys have questions

we can take questions outside but I think we have to kick everyone out of the room in the next like two minutes you we we do have